Highly available Kubernetes cluster - 4. kubectl client tool

6. Deploy the kubectl client tool

1. Download

[root@kubenode1 ~]# cd /usr/local/src/
[root@kubenode1 src]# wget https://storage.googleapis.com/kubernetes-release/release/v1.9.2/kubernetes-server-linux-amd64.tar.gz
[root@kubenode1 src]# tar -zxvf kubernetes-server-linux-amd64.tar.gz

# All executables, kubectl included, are in server/bin under the extracted directory, alongside kube-apiserver, kube-controller-manager, kube-scheduler, kube-proxy, kubelet, etc.
[root@kubenode1 src]# mv /usr/local/src/kubernetes/server/bin/ /usr/local/src/kubernetes/
[root@kubenode1 src]# rm -rf /usr/local/src/kubernetes/server/
[root@kubenode1 src]# mv /usr/local/src/kubernetes/ /usr/local/

2. Create the kubectl TLS certificate and private key

1) Create a kubectl certificate signing request

[root@kubenode1 ~]# cd /etc/kubernetes/admin/
[root@kubenode1 admin]# touch admin-csr.json

# kube-apiserver uses RBAC to authorize client requests (from kubelet, kube-proxy, etc.);
# kube-apiserver ships with a set of predefined RBAC objects: Role/RoleBinding and ClusterRole/ClusterRoleBinding;
# For example, a ClusterRoleBinding binds the Group system:masters to the ClusterRole cluster-admin, which has full access to kube-apiserver, so a certificate with "CN": "admin" in that group also has full access and can serve as the cluster super administrator;
# O sets the certificate's Group to system:masters. When kubelet uses this certificate to access kube-apiserver, the certificate is accepted because it is signed by the cluster CA, and because its group is the pre-authorized system:masters, the request is granted access to all APIs;
# hosts is an empty list, i.e. there are no IP or hostname restrictions
[root@kubenode1 admin]# vim admin-csr.json
{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "ChengDu",
            "L": "ChengDu",
            "O": "system:masters",
            "OU": "cloudteam"
        }
    ]
}

2) Generate kubectl certificate and private key

[root@kubenode1 admin]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin

# Distribute admin.pem and admin-key.pem to the other nodes
[root@kubenode1 admin]# scp admin.pem admin-key.pem [email protected]:/etc/kubernetes/admin/
[root@kubenode1 admin]# scp admin.pem admin-key.pem [email protected]:/etc/kubernetes/admin/

3.  Create the kubectl kubeconfig file

When kubectl talks to kube-apiserver over TLS without a kubeconfig file, the api-server address and the client certificate have to be given on every invocation, which is cumbersome.

# Configure cluster parameters;
# --server: the api-server address; once HA is in place, use the VIP;
# The cluster name is user-defined and must be used consistently from here on;
# --kubeconfig: path and file name of the kubeconfig file; if not set, the default is ~/.kube/config
[root@kubenode1 admin]# kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://172.30.200.10:6443 \
--kubeconfig=admin.conf


# Configure client authentication parameters;
# The authenticated user is the "admin" from the certificate signed above;
# Specify the matching certificate and private key
[root@kubenode1 admin]# kubectl config set-credentials admin \
--client-certificate=/etc/kubernetes/admin/admin.pem \
--embed-certs=true \
--client-key=/etc/kubernetes/admin/admin-key.pem \
--kubeconfig=admin.conf

# Configure context parameters
[root@kubenode1 admin]# kubectl config set-context admin@kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=admin.conf

# Set the default context
[root@kubenode1 admin]# kubectl config use-context admin@kubernetes --kubeconfig=admin.conf

# Distribute the kubeconfig file to every node that runs kubectl;
# kubectl reads the kube-apiserver address, certificates, username and other settings from ~/.kube/config by default; adjust the path/file name when distributing
[root@kubenode1 admin]# cp /etc/kubernetes/admin/admin.conf ~/.kube/config
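The four kubectl config commands above only assemble a file. As an added example (not code from the original post), the Python below builds the same kubeconfig structure with embedded certificates, lints it for the mistakes that matter (no CA, plain http, dangling context or user) and writes it with mode 0600, since it carries the cluster-admin private key. The PEM blobs are constructed placeholders standing in for ca.pem, admin.pem and admin-key.pem.

```python
import base64, json, os

# Constructed placeholder PEMs standing in for the page's ca.pem, admin.pem and admin-key.pem.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n"
ADMIN_PEM = b"-----BEGIN CERTIFICATE-----\nYWRtaW4gcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n"
ADMIN_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\na2V5IHBsYWNlaG9sZGVy\n-----END RSA PRIVATE KEY-----\n"

def b64(pem: bytes) -> str:
    return base64.b64encode(pem).decode("ascii")

def build_kubeconfig(server, ca_pem, cert_pem, key_pem, cluster="kubernetes", user="admin"):
    """Structure kubectl writes for the page's set-cluster / set-credentials /
    set-context / use-context sequence with --embed-certs=true."""
    ctx = f"{user}@{cluster}"
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": b64(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": b64(cert_pem), "client-key-data": b64(key_pem)}}],
        "contexts": [{"name": ctx, "context": {"cluster": cluster, "user": user}}],
        "current-context": ctx,
    }

def check_kubeconfig(cfg):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    if cfg.get("current-context") not in contexts:
        problems.append(f"current-context {cfg.get('current-context')!r} is not defined")
    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters or ctx.get("user") not in users:
            problems.append(f"context {name}: references an unknown cluster or user")
    for name, cl in clusters.items():
        if not str(cl.get("server", "")).startswith("https://"):
            problems.append(f"cluster {name}: server is not https")
        if cl.get("insecure-skip-tls-verify") or not (
                cl.get("certificate-authority-data") or cl.get("certificate-authority")):
            problems.append(f"cluster {name}: server certificate is not verified against a CA")
    return problems

def write_kubeconfig(cfg, path):
    """Write as JSON (kubectl accepts it, JSON being valid YAML) with mode 0600,
    because the file carries the cluster-admin private key. Returns the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # explicit, so an existing file or the umask cannot widen it
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f, indent=2)
    return os.stat(path).st_mode & 0o777
```

To lint an existing file the same way, feed check_kubeconfig the dict from `kubectl config view --raw -o json`.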
